WEBVTT

00:00:00.000 --> 00:00:02.740
Welcome to the deep dive. You know, picture the

00:00:02.740 --> 00:00:05.179
control room of an airport or the core banking

00:00:05.179 --> 00:00:07.200
systems that are processing millions of transactions

00:00:07.200 --> 00:00:09.960
a minute or even a hospital network that's managing

00:00:09.960 --> 00:00:12.039
all our patient records. These are the engines

00:00:12.039 --> 00:00:14.839
of modern life. They are. And we have this

00:00:14.839 --> 00:00:17.539
implicit trust that they're being protected by

00:00:17.539 --> 00:00:20.000
the absolute best defense systems available.

00:00:20.539 --> 00:00:22.399
And that trust, well, that brings us to one of

00:00:22.399 --> 00:00:24.780
the biggest paradoxes of our whole digital economy.

00:00:24.960 --> 00:00:27.820
The companies we hire, the technology we deploy

00:00:27.820 --> 00:00:32.100
to act as this ultimate barrier against chaos.

00:00:32.460 --> 00:00:35.340
Against state-sponsored hacking, corporate espionage,

00:00:35.479 --> 00:00:38.100
all of it. Right. They inevitably become these

00:00:38.100 --> 00:00:41.539
points of profound centralized systemic risk.

00:00:41.880 --> 00:00:44.219
They're the ones holding the master key. That

00:00:44.219 --> 00:00:46.780
is the core tension we are exploring today. Our

00:00:46.780 --> 00:00:49.479
mission is a deep dive into CrowdStrike Holdings,

00:00:49.479 --> 00:00:51.890
Inc. We are looking at a company that successfully

00:00:51.890 --> 00:00:54.990
scaled from a small, really aggressive startup

00:00:54.990 --> 00:00:57.570
focused on catching the world's most sophisticated

00:00:57.570 --> 00:01:00.530
threat actors. And we're talking Chinese espionage

00:01:00.530 --> 00:01:03.090
rings, Russian intelligence operations, the big

00:01:03.090 --> 00:01:06.769
leagues. Exactly. To a multibillion dollar financial

00:01:06.769 --> 00:01:10.390
powerhouse that is now, well, it's utterly indispensable

00:01:10.390 --> 00:01:13.269
to global IT infrastructure. The sources reveal

00:01:13.269 --> 00:01:16.629
just an incredible trajectory. I mean, they're

00:01:16.629 --> 00:01:19.680
a component of the Nasdaq and the S&P 500. They're

00:01:19.680 --> 00:01:22.879
reporting, what, US$3.95 billion in revenue

00:01:22.879 --> 00:01:26.239
for fiscal year 2025. They're an absolute leader

00:01:26.239 --> 00:01:28.700
in endpoint security and threat intelligence.

00:01:28.959 --> 00:01:31.459
But the very success they achieved, the thing

00:01:31.459 --> 00:01:34.060
that made them so indispensable, is exactly what

00:01:34.060 --> 00:01:37.099
created the conditions for a failure of spectacular

00:01:37.099 --> 00:01:40.540
scale. A failure that touched almost everyone.

00:01:40.799 --> 00:01:43.280
We have to unpack that catastrophic day in July

00:01:43.280 --> 00:01:47.180
2024 when a routine software update, an update

00:01:47.180 --> 00:01:49.260
issued by this company built to prevent cyber

00:01:49.260 --> 00:01:52.400
chaos, became the source of a massive real-world

00:01:52.400 --> 00:01:55.079
global IT meltdown. It grounded flights, it paralyzed

00:01:55.079 --> 00:01:57.359
911 centers. And it forced system administrators

00:01:57.359 --> 00:01:59.879
worldwide into a state of just absolute panic.

00:02:00.040 --> 00:02:01.700
It's a study in complexity and concentration

00:02:01.700 --> 00:02:03.640
risks. So let's look at how they built that power

00:02:03.640 --> 00:02:05.760
base in the first place. Okay, let's unpack this.

00:02:06.659 --> 00:02:10.219
So CrowdStrike wasn't founded to, you know, sell

00:02:10.219 --> 00:02:13.139
firewalls or basic antivirus. It was purpose

00:02:13.139 --> 00:02:16.060
built for high-stakes digital conflict. Right

00:02:16.060 --> 00:02:18.039
from the beginning, the company launched in 2011,

00:02:18.240 --> 00:02:21.419
and the founding team had, I mean, deep experience

00:02:21.419 --> 00:02:24.099
in the security world. You had George Kurtz,

00:02:24.180 --> 00:02:26.620
the CEO. Dmitri Alperovitch, who was the former

00:02:26.620 --> 00:02:30.379
CTO, a huge name in the space. A huge name. And

00:02:30.379 --> 00:02:32.960
Gregg Marston, the CFO, who has since retired.

00:02:33.139 --> 00:02:35.400
And what defines the company's identity right

00:02:35.400 --> 00:02:37.860
from the outset is this intense focus on the

00:02:37.860 --> 00:02:40.259
adversary, not just the technical artifact. Exactly.

00:02:40.520 --> 00:02:42.620
They weren't interested in just generic malware.

00:02:42.840 --> 00:02:45.229
They wanted to name, shame, and track the state-sponsored

00:02:45.229 --> 00:02:47.689
groups behind the attacks. Their whole

00:02:47.689 --> 00:02:51.370
focus was forensic and attributional. And they

00:02:51.370 --> 00:02:53.629
solidified this reputation really early on by

00:02:53.629 --> 00:02:55.650
bringing in some serious operational expertise.

00:02:55.949 --> 00:02:58.409
Oh, yeah. In 2012, they made a key strategic

00:02:58.409 --> 00:03:01.430
hire, Shawn Henry, a former high-ranking official

00:03:01.430 --> 00:03:03.789
from the FBI, he was brought in to lead their

00:03:03.789 --> 00:03:06.509
subsidiary, CrowdStrike Services, Inc. And that

00:03:06.509 --> 00:03:09.090
move, it signaled immediately that CrowdStrike

00:03:09.090 --> 00:03:11.659
was not just another software vendor. It was

00:03:11.659 --> 00:03:14.159
offering elite security and incident response

00:03:14.159 --> 00:03:16.879
services. It was bringing a kind of government

00:03:16.879 --> 00:03:20.280
level investigative rigor to corporate cyber

00:03:20.280 --> 00:03:23.099
defense. So when a major company or a government

00:03:23.099 --> 00:03:26.240
agency got hit with a complex breach, CrowdStrike

00:03:26.240 --> 00:03:28.939
wanted to be the team you called. The specialized

00:03:28.939 --> 00:03:31.139
experience team that would come in and figure

00:03:31.139 --> 00:03:33.650
out not just what happened, but who did it and

00:03:33.650 --> 00:03:36.449
why? And that whole investigative mindset was

00:03:36.449 --> 00:03:38.669
baked directly into their first major product.

00:03:38.849 --> 00:03:42.090
In June 2013, they launched CrowdStrike Falcon.

00:03:42.270 --> 00:03:44.669
Right. And while it functioned as an antivirus

00:03:44.669 --> 00:03:46.909
package, its real innovation, the thing that

00:03:46.909 --> 00:03:49.550
changed the game, was in endpoint detection and

00:03:49.550 --> 00:03:52.479
response. So let's explain that because it's

00:03:52.479 --> 00:03:54.719
a key concept. What does that actually mean for

00:03:54.719 --> 00:03:56.860
the listener? Well, traditional antivirus was

00:03:56.860 --> 00:03:59.080
reactive. It scanned your computer for known

00:03:59.080 --> 00:04:01.219
signatures, you know, fingerprints of malware

00:04:01.219 --> 00:04:03.000
that had already been identified. So we'd only

00:04:03.000 --> 00:04:05.199
catch things it already knew about. Precisely.

00:04:05.740 --> 00:04:08.939
Falcon, being cloud-based and focused on EDR,

00:04:09.180 --> 00:04:12.599
it shifted the whole emphasis to threat intelligence

00:04:12.680 --> 00:04:15.780
and proactive behavior analysis. It watched the

00:04:15.780 --> 00:04:18.199
endpoints, your laptop, your company's servers,

00:04:18.360 --> 00:04:21.379
for suspicious activity, activity that suggested

00:04:21.379 --> 00:04:24.339
a human adversary, a bad guy as they put it,

00:04:24.399 --> 00:04:27.410
was present, even if they weren't using any known

00:04:27.410 --> 00:04:29.670
malware. Yeah. This approach allowed them to

00:04:29.670 --> 00:04:32.569
spot the sophisticated, stealthy intruders that

00:04:32.569 --> 00:04:35.189
all the legacy systems were just completely missing.

00:04:35.350 --> 00:04:37.269
And because they were monitoring for the most

00:04:37.269 --> 00:04:39.829
sophisticated threats, their early investigation

00:04:39.829 --> 00:04:42.889
portfolio was immediately relevant. I mean, it

00:04:42.889 --> 00:04:45.170
had significant geopolitical weight. They were

00:04:45.170 --> 00:04:46.949
basically acting as an extension of national

00:04:46.949 --> 00:04:49.310
intelligence services, often making reports public

00:04:49.310 --> 00:04:51.129
that, you know, the government couldn't or wouldn't

00:04:51.129 --> 00:04:53.009
for political reasons. And this started almost

00:04:53.009 --> 00:04:54.930
immediately with their work on China. Right.

00:04:55.019 --> 00:04:56.740
Right. CrowdStrike's reports were absolutely

00:04:56.740 --> 00:04:58.660
central to the U.S. Department of Justice's

00:04:58.660 --> 00:05:02.079
decision in May of 2014 to actually charge five

00:05:02.079 --> 00:05:05.399
specific Chinese military hackers. Which is a

00:05:05.399 --> 00:05:08.060
huge step. They moved from this abstract concept

00:05:08.060 --> 00:05:12.220
of state espionage to identifying specific, chargeable

00:05:12.220 --> 00:05:14.720
individuals within the Chinese military apparatus.

00:05:15.139 --> 00:05:17.680
I mean, that is a massive operational leap for

00:05:17.680 --> 00:05:19.779
a private company. And they also became experts

00:05:19.779 --> 00:05:22.220
in naming and tracking these specific Chinese

00:05:22.220 --> 00:05:25.180
state-sponsored groups. For instance, in 2014,

00:05:25.480 --> 00:05:28.920
they identified Putter Panda. A group they traced

00:05:28.920 --> 00:05:32.560
all the way back to PLA unit 61486. So again,

00:05:32.639 --> 00:05:34.660
they weren't just detecting malware. They were

00:05:34.660 --> 00:05:37.560
mapping the actual organizational structure of

00:05:37.560 --> 00:05:40.240
foreign military cyber units. And this capability,

00:05:40.579 --> 00:05:43.139
this sort of ground truth they had, it gave them

00:05:43.139 --> 00:05:44.899
the confidence to be pretty provocative. Oh,

00:05:44.899 --> 00:05:48.019
very. In October 2015, they reported alleged

00:05:48.019 --> 00:05:50.139
Chinese hacking that was targeting technology

00:05:50.139 --> 00:05:52.300
and pharmaceutical companies. And what makes

00:05:52.300 --> 00:05:54.319
that report so significant is the timing. The

00:05:54.319 --> 00:05:56.920
timing is everything. It came just after U.S.

00:05:56.920 --> 00:05:58.750
President Obama and China's leader, Xi

00:05:58.750 --> 00:06:02.089
Jinping, had struck this very public high level

00:06:02.089 --> 00:06:05.750
agreement promising not to conduct economic espionage

00:06:05.750 --> 00:06:07.589
against each other. So CrowdStrike's findings

00:06:07.589 --> 00:06:09.850
essentially alleged a high profile violation

00:06:09.850 --> 00:06:11.990
of that agreement almost as soon as the ink was

00:06:11.990 --> 00:06:14.470
dry. It demonstrates incredible institutional

00:06:14.470 --> 00:06:17.670
confidence. But their focus wasn't only on China.

00:06:17.810 --> 00:06:20.870
They were just as active tracking Russian intelligence

00:06:20.870 --> 00:06:23.269
groups. Right. They uncovered the activities

00:06:23.269 --> 00:06:26.050
of a group called Energetic Bear. A group they

00:06:26.050 --> 00:06:28.350
linked directly to Russia's Federal Security

00:06:28.350 --> 00:06:32.449
Service, the FSB. And what stood out about Energetic

00:06:32.449 --> 00:06:35.689
Bear was its primary target set. The global energy

00:06:35.689 --> 00:06:38.230
sector. The global energy sector. It showed this

00:06:38.230 --> 00:06:41.810
clear tactical connection between cyber operations.

00:06:41.959 --> 00:06:45.560
and securing influence over critical infrastructure.

00:06:45.920 --> 00:06:48.139
And then, of course, there was the 2014 Sony

00:06:48.139 --> 00:06:51.060
Pictures hack, which was just a watershed moment

00:06:51.060 --> 00:06:54.399
in corporate cyber attack. A huge moment. CrowdStrike

00:06:54.399 --> 00:06:56.720
was retained for the cleanup and analysis. They

00:06:56.720 --> 00:06:58.899
were instrumental in uncovering the evidence

00:06:58.899 --> 00:07:01.040
that implicated the government of North Korea.

00:07:01.279 --> 00:07:03.660
They provided really granular detail, didn't

00:07:03.660 --> 00:07:05.579
they? I remember reading that they even used

00:07:05.579 --> 00:07:08.540
forensic clues, like a distinctive typo that

00:07:08.540 --> 00:07:11.160
was embedded in the malware code, to attribute

00:07:11.180 --> 00:07:12.899
the attack with high confidence. That's right.

00:07:12.980 --> 00:07:14.939
They demonstrated the actual mechanics of how

00:07:14.939 --> 00:07:17.339
the attack was successfully carried out. So their

00:07:17.339 --> 00:07:19.620
early history really establishes them as this

00:07:19.620 --> 00:07:23.300
ultimate high stakes digital detective focused

00:07:23.300 --> 00:07:25.839
on nation state actors. But it wasn't just about

00:07:25.839 --> 00:07:28.600
catching the attackers. It was also about identifying

00:07:28.600 --> 00:07:31.579
flaws deep within the foundational systems that

00:07:31.579 --> 00:07:34.100
run our entire digital world. And that brings

00:07:34.100 --> 00:07:38.620
us to Venom. In May 2015, CrowdStrike released

00:07:38.620 --> 00:07:41.139
information about this really critical vulnerability.

00:07:41.660 --> 00:07:44.220
And this wasn't malware. This was something much

00:07:44.220 --> 00:07:47.160
deeper, a profound flaw in the very architecture

00:07:47.160 --> 00:07:49.319
of cloud computing. OK, let's talk about the

00:07:49.319 --> 00:07:50.879
technical impact here, because it gets a little

00:07:50.879 --> 00:07:52.899
technical, but it's intensely relevant to their

00:07:52.899 --> 00:07:56.620
story. Venom was a critical flaw in QEMU, the

00:07:56.620 --> 00:07:59.220
Quick Emulator, an open-source hypervisor. So

00:07:59.220 --> 00:08:01.480
for our listener, the hypervisor is that foundational

00:08:01.480 --> 00:08:04.180
software layer. It's what allows the big cloud

00:08:04.180 --> 00:08:08.100
providers like Google or AWS to run dozens or

00:08:08.100 --> 00:08:10.759
even hundreds of isolated secure virtual machines

00:08:10.759 --> 00:08:14.240
or VMs on a single piece of physical server hardware.

00:08:14.540 --> 00:08:16.420
It's what keeps your cloud data separate from

00:08:16.420 --> 00:08:18.160
your neighbor's data. It's supposed to be the

00:08:18.160 --> 00:08:20.600
unbreakable wall between those VMs. Precisely.

00:08:20.600 --> 00:08:24.060
And Venom was a flaw that allowed a malicious

00:08:24.060 --> 00:08:27.519
actor, someone running code within a single contained

00:08:27.519 --> 00:08:31.759
virtual machine, say a testing sandbox, to execute

00:08:31.980 --> 00:08:34.539
a VM breakout, meaning the hacker could escape

00:08:34.539 --> 00:08:37.340
their designated digital cage and gain access

00:08:37.340 --> 00:08:40.200
to the physical server itself and, critically,

00:08:40.200 --> 00:08:43.460
access all the sensitive personal and corporate

00:08:43.460 --> 00:08:45.799
data stored on all the other virtual machines

00:08:45.799 --> 00:08:49.159
running on that same server. That is just catastrophic

00:08:49.159 --> 00:08:52.039
for cloud security. It completely destroys the

00:08:52.039 --> 00:08:55.100
core principle of isolation that the entire modern

00:08:55.100 --> 00:08:58.259
cloud computing model is built on. Yeah. CrowdStrike's

00:08:58.259 --> 00:09:00.419
discovery of Venom wasn't just another vulnerability

00:09:00.419 --> 00:09:02.519
finding. It was a demonstration to the market

00:09:02.519 --> 00:09:04.259
that they understood infrastructure security

00:09:04.259 --> 00:09:07.019
at the deepest possible level. So was that an

00:09:07.019 --> 00:09:09.580
act of purely responsible disclosure or was it

00:09:09.580 --> 00:09:12.240
a really savvy strategic marketing move designed

00:09:12.240 --> 00:09:14.340
to show off their foundational systems knowledge

00:09:14.340 --> 00:09:16.720
to prospective clients? I mean, it was likely

00:09:16.720 --> 00:09:20.320
both, right? But the outcome was clear. CrowdStrike

00:09:20.320 --> 00:09:23.000
positioned itself as maybe the only company capable

00:09:23.000 --> 00:09:25.159
of fighting the biggest, most complex threats,

00:09:25.379 --> 00:09:29.720
whether they came from PLA Unit 64586 or a flaw

00:09:29.720 --> 00:09:31.580
in the fundamental architecture of the Internet.

00:09:31.740 --> 00:09:34.940
And that identity, high risk, high competence,

00:09:35.179 --> 00:09:38.460
high geopolitical relevance, that's the engine

00:09:38.460 --> 00:09:40.649
that drove their next phase: just spectacular

00:09:40.649 --> 00:09:43.509
financial scaling. The transition from that high

00:09:43.509 --> 00:09:45.710
stakes consulting firm we just described to a

00:09:45.710 --> 00:09:48.409
multibillion dollar financial juggernaut was

00:09:48.409 --> 00:09:50.490
I mean, it was breathtakingly fast. It just

00:09:50.490 --> 00:09:52.730
directly reflects the sheer market demand for

00:09:52.730 --> 00:09:55.769
their unique threat centric cloud native security

00:09:55.769 --> 00:09:58.149
model. The investor confidence was immediate.

00:09:58.679 --> 00:10:01.500
In July 2015, they secured their Series C funding,

00:10:01.600 --> 00:10:03.919
and that round notably included an investment

00:10:03.919 --> 00:10:07.159
from Google. By May 2019, they had raised a remarkable

00:10:07.159 --> 00:10:10.720
total of $480 million in various funding rounds.

00:10:10.940 --> 00:10:13.139
And the valuation milestones, they just illustrate

00:10:13.139 --> 00:10:15.240
how quickly the market recognized their indispensable

00:10:15.240 --> 00:10:18.299
position. They reached the revered unicorn status,

00:10:18.639 --> 00:10:21.750
a valuation over a billion dollars by 2017. And

00:10:21.750 --> 00:10:23.909
at that point, they were already estimating an

00:10:23.909 --> 00:10:27.529
annual recurring revenue of $100 million. And

00:10:27.529 --> 00:10:31.149
the growth was truly exponential. By June 2018,

00:10:31.450 --> 00:10:34.129
just one year later, that valuation had jumped

00:10:34.129 --> 00:10:36.850
to over $3 billion. They attracted some really

00:10:36.850 --> 00:10:39.230
serious institutional backing. We're talking

00:10:39.230 --> 00:10:42.409
Telstra, March Capital Partners, Rackspace, Accel

00:10:42.409 --> 00:10:45.679
Partners, Warburg Pincus. These investors saw

00:10:45.679 --> 00:10:47.960
a company that wasn't just disrupting a market.

00:10:48.019 --> 00:10:50.299
It was completely redefining it. And that rapid

00:10:50.299 --> 00:10:52.759
ascent led directly to their blockbuster 2019

00:10:52.759 --> 00:10:55.580
initial public offering on the Nasdaq. An IPO

00:10:55.580 --> 00:10:58.399
where shares just soared over 70% in their trading

00:10:58.399 --> 00:11:00.759
debut, instantly valuing the company at more

00:11:00.759 --> 00:11:03.419
than $11 billion. This market valuation wasn't

00:11:03.419 --> 00:11:05.620
just speculation. It was a firm statement that

00:11:05.620 --> 00:11:07.740
CrowdStrike was seen as an essential utility

00:11:07.740 --> 00:11:10.440
for the digital age, a critical piece of infrastructure

00:11:10.440 --> 00:11:12.899
in and of itself. And that institutional validation

00:11:12.899 --> 00:11:15.759
just kept coming. It culminated in their inclusion

00:11:15.759 --> 00:11:18.779
in the prestigious S&P 500 index in June of

00:11:18.779 --> 00:11:21.169
2024, right before the major incident we're going

00:11:21.169 --> 00:11:23.230
to discuss later. So to really understand the

00:11:23.230 --> 00:11:25.490
scale of their indispensable status, let's look

00:11:25.490 --> 00:11:27.809
at the raw financial trajectory over five fiscal

00:11:27.809 --> 00:11:30.610
years. This really appeals to the listener interested

00:11:30.610 --> 00:11:33.309
in scale and metrics. Okay, so if we break down

00:11:33.309 --> 00:11:36.090
the revenue figures, which end on January 31st

00:11:36.090 --> 00:11:38.350
each year, the adoption rate of their Falcon

00:11:38.350 --> 00:11:41.360
platform becomes, well, abundantly clear. So

00:11:41.360 --> 00:11:44.220
starting small in fiscal year 2020, revenues

00:11:44.220 --> 00:11:48.960
stood at $481.4 million. Then by fiscal year

00:11:48.960 --> 00:11:51.919
2024, they had crossed the $3 billion mark, reaching

00:11:51.919 --> 00:11:56.600
$3.06 billion. That was a 36% increase over

00:11:56.600 --> 00:11:59.299
the prior year, FY23. And the projected growth

00:11:59.299 --> 00:12:01.519
remains steep, which validates the whole investor

00:12:01.519 --> 00:12:05.519
thesis. For FY2025, revenue hit $3.95 billion.

00:12:05.879 --> 00:12:08.059
But maybe more telling than the revenue itself

00:12:08.059 --> 00:12:10.679
is the operational cash flow. In FY 2020,

00:12:10.679 --> 00:12:14.179
net cash flow from operations was $99.9 million.

00:12:14.480 --> 00:12:17.659
By FY 2025, that figure had skyrocketed to $1.38

00:10:17.659 --> 00:10:20.759
billion. I mean, that level of cash generation

00:12:20.759 --> 00:12:23.240
suggests high margins, very efficient scaling,

00:12:23.259 --> 00:12:25.960
and critically, customer stickiness. Once Falcon

00:12:25.960 --> 00:12:27.879
is deployed in an organization, it is rarely

00:12:27.879 --> 00:12:31.519
removed. That's compelling. But wait, how does

00:12:31.519 --> 00:12:33.980
a company that started with this high-cost,

00:12:34.000 --> 00:12:37.279
high-touch forensic consulting scale to billions

00:12:37.279 --> 00:12:40.450
in software revenue? Was this strategy just that

00:12:40.450 --> 00:12:42.509
good, or did they aggressively buy their market

00:12:42.509 --> 00:12:45.149
share? Well, the acquisition strategy is where

00:12:45.149 --> 00:12:46.669
we see the answer. It's really a combination

00:12:46.669 --> 00:12:49.610
of both. Right. The core Falcon platform was

00:12:49.610 --> 00:12:52.330
strong, but the digital threat landscape changes

00:12:52.330 --> 00:12:55.029
constantly, especially with the rapid shift to

00:12:55.029 --> 00:12:57.169
cloud infrastructure. CrowdStrike realized they

00:12:57.169 --> 00:12:59.169
needed to be everywhere the data was, not just

00:12:59.169 --> 00:13:01.409
on the physical endpoint. So their aggressive

00:13:01.409 --> 00:13:03.909
acquisition strategy was designed to rapidly

00:13:03.909 --> 00:13:06.629
integrate all these new capabilities into the

00:13:06.629 --> 00:13:08.980
Falcon ecosystem. Exactly. They weren't just

00:13:08.980 --> 00:13:11.019
buying companies for headcount. They were filling

00:13:11.019 --> 00:13:15.000
specific critical capability gaps. The acquisitions

00:13:15.000 --> 00:13:17.320
themselves, they tell the story of their strategic

00:13:17.320 --> 00:13:20.899
evolution from pure EDR to a comprehensive security

00:13:20.899 --> 00:13:23.720
platform. Take their 2017 acquisition of Payload

00:13:23.720 --> 00:13:26.879
Security. That brought in automated malware analysis

00:13:26.879 --> 00:13:29.700
sandbox technology, which just sped up their

00:13:29.700 --> 00:13:32.080
ability to understand new threats. Then a few

00:13:32.080 --> 00:13:36.320
years later, in 2020, they paid $96 million for

00:13:36.320 --> 00:13:39.809
Preempt Security. This was crucial for identity

00:13:39.809 --> 00:13:42.389
security. It was. It integrated zero trust and

00:13:42.389 --> 00:13:44.690
conditional access capabilities directly into

00:13:44.690 --> 00:13:47.850
their platform. And that move, it signaled the

00:13:47.850 --> 00:13:50.429
recognition that identity, you know, who you

00:13:50.429 --> 00:13:53.009
are and what you have access to, was replacing

00:13:53.009 --> 00:13:55.529
the traditional network perimeter as the primary

00:13:55.529 --> 00:13:57.690
attack surface. Then came the integration of

00:13:57.690 --> 00:14:01.169
massive data capabilities. In 2021, they spent

00:14:01.169 --> 00:14:04.590
$400 million on Humio, a really robust Danish

00:14:04.590 --> 00:14:07.210
log management platform. Humio was a massive

00:14:07.210 --> 00:14:09.350
strategic purchase. Oh, it was huge because it

00:14:09.350 --> 00:14:11.549
allowed CrowdStrike to pull in and analyze these

00:14:11.549 --> 00:14:14.149
huge volumes of telemetry data from all sorts

00:14:14.149 --> 00:14:16.330
of sources beyond just the endpoint logs, cloud

00:14:16.330 --> 00:14:18.429
infrastructure, network traffic. It's foundational

00:14:18.429 --> 00:14:20.730
for true extended detection and response, or

00:14:20.730 --> 00:14:23.330
XDR. And later that same year, they bought SecureCircle,

00:14:23.330 --> 00:14:26.240
a SaaS-based service that pushed that

00:14:26.240 --> 00:14:28.679
zero-trust philosophy even further by protecting

00:14:28.679 --> 00:14:30.879
the data itself, regardless of where it moved.

00:14:31.179 --> 00:14:33.539
And they just continue to aggressively acquire,

00:14:33.960 --> 00:14:36.039
often targeting the innovation hub in Israel.

00:14:36.240 --> 00:14:39.440
In 2024 alone, they bought Flow Security for

00:14:39.440 --> 00:14:43.120
$200 million and Adaptive Shield for $300 million.

00:14:43.679 --> 00:14:46.080
Both of which were focused heavily on cloud security

00:14:46.080 --> 00:14:48.840
posture and identity governance. It's a clear

00:14:48.840 --> 00:14:50.879
indication that cloud protection had become their

00:14:50.879 --> 00:14:54.360
central focus. Even looking ahead, the 2025 agreement

00:14:54.360 --> 00:14:57.460
to acquire Onum, which focuses on managing real-time

00:14:57.460 --> 00:15:00.500
telemetry pipelines, it just confirms

00:15:00.519 --> 00:15:02.940
this constant evolution toward comprehensive

00:15:02.940 --> 00:15:05.600
data management. The pace of these acquisitions,

00:15:05.600 --> 00:15:07.740
what is it, 10 major companies in eight years?

00:15:07.879 --> 00:15:10.309
Yeah. It shows that to maintain their dominance,

00:15:10.470 --> 00:15:12.370
they recognized they had to constantly integrate

00:15:12.370 --> 00:15:14.450
new technologies. They couldn't just rely on

00:15:14.450 --> 00:15:16.529
organic development of the original Falcon system.

00:15:16.769 --> 00:15:19.049
And this constant evolution is also evident in

00:15:19.049 --> 00:15:21.850
their own product innovation. In 2020 and 2022,

00:15:22.250 --> 00:15:24.909
they launched an evolved Falcon identity threat

00:15:24.909 --> 00:15:26.850
protection. Then came the inevitable industry

00:15:26.850 --> 00:15:29.669
shift toward artificial intelligence. In 2023,

00:15:29.990 --> 00:15:32.190
they introduced Charlotte AI. Right, which they

00:15:32.190 --> 00:15:34.789
pitched as a generative AI security analyst designed

00:15:34.789 --> 00:15:37.190
to enhance automated threat triaging and response.

00:15:37.799 --> 00:15:39.919
They're essentially building an AI-powered security

00:15:39.919 --> 00:15:43.220
copilot for their enterprise users. They even

00:15:43.220 --> 00:15:45.779
democratized customization with Falcon Foundry

00:15:45.779 --> 00:15:48.940
in 2023, which is a no-code application development

00:15:48.940 --> 00:15:51.320
platform. The goal is to make their platform

00:15:51.320 --> 00:15:54.200
so comprehensive, so customizable, and so easy

00:15:54.200 --> 00:15:56.879
to use that no customer ever needs to look elsewhere.

00:15:57.200 --> 00:15:59.659
And as you move up that threat chain, you're

00:15:59.659 --> 00:16:02.019
tracking state sponsored actors. You're defending

00:16:02.019 --> 00:16:04.059
critical infrastructure. You're generating billions

00:16:04.059 --> 00:16:08.440
in revenue. You inevitably become intensely intertwined

00:16:08.440 --> 00:16:11.399
with one client above all others. Yeah. The U.S.

00:16:11.399 --> 00:16:13.679
government. Absolutely. The sources confirm

00:16:13.679 --> 00:16:16.019
a clear strategic focus on working with the U.S.

00:16:16.019 --> 00:16:17.779
government and selling their services to

00:16:17.779 --> 00:16:20.559
federal agencies. When your product is integral

00:16:20.559 --> 00:16:23.139
to national defense, political engagement isn't

00:16:23.139 --> 00:16:25.200
optional. It's a necessary cost of doing business.

00:16:25.360 --> 00:16:27.559
Exactly. And their federal lobbying spending

00:16:27.559 --> 00:16:31.340
reflects this priority. It exceeded $620,000

00:16:31.340 --> 00:16:34.320
in 2023, and they were on track to set a new

00:16:34.320 --> 00:16:37.360
record in 2024. So when you combine that level

00:16:37.360 --> 00:16:40.340
of financial scale, technical indispensable status,

00:16:40.480 --> 00:16:43.179
and that high-level government engagement, you

00:16:43.179 --> 00:16:45.399
are dealing with a company that is not just a

00:16:45.399 --> 00:16:48.759
technology vendor, it's a critical geopolitical

00:16:48.759 --> 00:16:51.149
actor. And nowhere was that geopolitical influence

00:16:51.149 --> 00:16:53.769
tested more controversially than in the attribution

00:16:53.769 --> 00:16:56.710
of Russian hacking. So if Section 1 established

00:16:56.710 --> 00:16:59.590
CrowdStrike's reputation for, you know, catching

00:16:59.590 --> 00:17:02.850
spies, this section details the moment that that

00:17:02.850 --> 00:17:05.210
reputation became tangled in international controversy

00:17:05.210 --> 00:17:08.829
and domestic political firestorms. Yeah, we have

00:17:08.829 --> 00:17:10.430
to look closely at their role in investigating

00:17:10.430 --> 00:17:13.670
the 2015-2016 cyber attacks on the Democratic

00:17:13.670 --> 00:17:16.619
National Committee, the DNC. This is a foundational

00:17:16.619 --> 00:17:19.220
event in modern cyber history. CrowdStrike was

00:17:19.220 --> 00:17:20.880
brought in to investigate the breach and their

00:17:20.880 --> 00:17:23.299
eventual conclusions that the attacks were the

00:17:23.299 --> 00:17:25.799
work of Russian intelligence services, specifically

00:17:25.799 --> 00:17:30.180
APT28, or Fancy Bear, and APT29, or Cozy Bear. Those

00:17:30.180 --> 00:17:32.160
conclusions became absolutely central to the

00:17:32.160 --> 00:17:34.140
public narrative surrounding foreign interference.

00:17:34.960 --> 00:17:36.880
And that conclusion was reached alongside other

00:17:36.880 --> 00:17:39.160
highly respected firms like Mandiant and ThreatConnect.

00:17:39.160 --> 00:17:42.779
So in March 2017, then FBI Director

00:17:42.779 --> 00:17:45.920
James Comey testified before Congress, citing

00:17:45.920 --> 00:17:48.500
these private sector firms and stating that they

00:17:48.500 --> 00:17:50.920
concluded with high certainty that the hack was

00:17:50.920 --> 00:17:53.039
the work of known Russian intelligence services.

00:17:53.420 --> 00:17:55.880
That is immense weight to give to a private firm's

00:17:55.880 --> 00:17:59.079
findings. But here's where the procedural controversy

00:17:59.079 --> 00:18:01.960
and the structural insight for our listener emerges.

00:18:02.220 --> 00:18:06.200
Right. Because earlier in January 2017, Director

00:18:06.200 --> 00:18:08.539
Comey had also testified that the FBI itself

00:18:08.539 --> 00:18:11.900
was actually denied direct forensic access to

00:18:11.900 --> 00:18:14.519
the physical DNC servers. They had to rely instead

00:18:14.519 --> 00:18:17.380
on shared images, logs and evidence that was

00:18:17.380 --> 00:18:19.940
provided by CrowdStrike. This is a crucial point.

00:18:19.980 --> 00:18:21.980
It raises a really important question about the

00:18:21.980 --> 00:18:24.140
line between private sector intelligence and

00:18:24.140 --> 00:18:26.660
national security investigations. For years,

00:18:26.759 --> 00:18:28.559
the federal government has had specialized forensic

00:18:28.559 --> 00:18:31.319
capabilities. But in this incredibly high profile

00:18:31.319 --> 00:18:33.859
case, the evidence trail that shaped the entire

00:18:33.859 --> 00:18:36.259
U.S. political landscape was generated, curated

00:18:36.259 --> 00:18:39.099
and handed over by a private for-profit technology

00:18:39.099 --> 00:18:42.519
company. It just illustrates how profoundly reliant

00:18:42.519 --> 00:18:44.940
federal agencies have become on the specialized

00:18:44.940 --> 00:18:48.779
deep access expertise of companies like CrowdStrike.

00:18:49.079 --> 00:18:52.259
Especially when a breach spans complex cloud

00:18:52.259 --> 00:18:54.759
environments and internal corporate systems that

00:18:54.759 --> 00:18:56.819
the FBI can't just walk into without a subpoena

00:18:56.819 --> 00:18:59.819
or where the owners prefer the speed and discretion

00:18:59.819 --> 00:19:01.740
of a private vendor. McCree is a fascinating

00:19:01.740 --> 00:19:04.079
power dynamic. The firm with the most sophisticated

00:19:04.079 --> 00:19:06.619
visibility into the threat often dictates the

00:19:06.619 --> 00:19:08.440
evidence that the government ultimately relies

00:19:08.440 --> 00:19:11.319
upon for its conclusions. But the DNC hack wasn't

00:19:11.319 --> 00:19:13.460
the only attribution report involving Russian

00:19:13.460 --> 00:19:16.519
entities that generated controversy and required

00:19:16.519 --> 00:19:19.660
significant scrutiny. We need to do a deep dive

00:19:19.660 --> 00:19:22.339
into the 2016 Ukrainian artillery app incident

00:19:22.339 --> 00:19:24.700
because it's a perfect case study in the difficulty

00:19:24.700 --> 00:19:27.920
of verifying facts in a contested geopolitical

00:19:27.920 --> 00:19:30.960
domain. Okay, so in December 2016, CrowdStrike

00:19:30.960 --> 00:19:33.460
released a highly detailed report. They claimed

00:19:33.460 --> 00:19:35.160
that the Russian government-affiliated group

00:19:35.160 --> 00:19:38.200
Fancy Bear had hacked a specialized Ukrainian

00:19:38.200 --> 00:19:41.420
artillery app called ArtOS. An app that was reportedly

00:19:41.420 --> 00:19:44.140
used on tablet PCs for fire control calculations

00:19:44.140 --> 00:19:46.539
right there in the field. And their conclusion

00:19:46.539 --> 00:19:49.720
had these immediate, tangible battlefield implications.

00:19:50.779 --> 00:19:53.000
CrowdStrike's report alleged that Russia had

00:19:53.000 --> 00:19:56.279
used this hack to cause large losses for Ukrainian

00:19:56.279 --> 00:19:58.819
artillery units. They detailed their findings,

00:19:58.940 --> 00:20:01.059
too. They specifically noted the distribution

00:20:01.059 --> 00:20:05.339
of a hacked variation of the POPR-D30 app, which

00:20:05.339 --> 00:20:07.460
used a specific piece of malware known as the

00:20:07.460 --> 00:20:10.460
X-Agent implant on Ukrainian military forums.

00:20:10.720 --> 00:20:13.180
It looked like irrefutable evidence of Russian

00:20:13.180 --> 00:20:15.920
cyber warfare translating directly into kinetic

00:20:15.920 --> 00:20:18.339
battlefield results. But the problem arose almost

00:20:18.339 --> 00:20:21.259
immediately when authoritative sources provided

00:20:21.259 --> 00:20:24.440
a strong rebuttal and, frankly, a contradiction

00:20:24.440 --> 00:20:27.579
to the report's most dramatic claim, the large

00:20:27.579 --> 00:20:30.819
losses. Right. The UK-based think tank, the

00:20:30.819 --> 00:20:33.059
International Institute for Strategic Studies,

00:20:33.220 --> 00:20:36.180
or IISS, publicly challenged the finding. They

00:20:36.180 --> 00:20:38.000
stated that CrowdStrike had wrongly used their

00:20:38.000 --> 00:20:40.599
data, and they denied that hacking was the cause

00:20:40.599 --> 00:20:42.900
of the reported artillery losses. And even more

00:20:42.900 --> 00:20:44.640
pointedly, the Ukrainian Ministry of Defense

00:20:44.640 --> 00:20:47.220
publicly rejected the CrowdStrike report. They

00:20:47.220 --> 00:20:49.559
stated on the record that the actual losses suffered

00:20:49.559 --> 00:20:52.019
by their artillery units were much smaller than

00:20:52.019 --> 00:20:54.259
what CrowdStrike had reported. And crucially,

00:20:54.420 --> 00:20:57.140
they emphasized that these losses were not associated

00:20:57.140 --> 00:20:59.539
with Russian hacking. This is where the complexity

00:20:59.539 --> 00:21:02.359
really hits home. You have a powerful, authoritative

00:21:02.359 --> 00:21:05.099
U.S. defense contractor stating one thing and

00:21:05.099 --> 00:21:07.559
the military of the allegedly affected nation

00:21:07.559 --> 00:21:10.500
state publicly stating the exact opposite. It

00:21:10.500 --> 00:21:13.180
forces you to ask, what are the incentives at

00:21:13.180 --> 00:21:15.619
play here? CrowdStrike's incentive is often speed,

00:21:15.859 --> 00:21:18.519
attribution, and, you know, marketing their unique

00:21:18.519 --> 00:21:20.759
insight. While the Ukrainian military's incentive

00:21:20.759 --> 00:21:24.900
is secrecy, battlefield morale, and control over

00:21:24.900 --> 00:21:27.559
their own sensitive operational data. It creates

00:21:27.559 --> 00:21:30.619
an immense fog of war. However, later research

00:21:30.619 --> 00:21:32.839
did lend significant credence to the fundamental

00:21:32.839 --> 00:21:35.660
claim of targeting, even if the claimed operational

00:21:35.660 --> 00:21:38.279
impact was disputed. Right. The cybersecurity

00:21:38.279 --> 00:21:41.000
firm SecureWorks later published research showing

00:21:41.000 --> 00:21:43.460
a list of email addresses that had been targeted

00:21:43.460 --> 00:21:46.099
by Fancy Bear phishing attacks. And that list

00:21:46.099 --> 00:21:48.819
included the email address of Yaroslav Sherstuk,

00:21:48.960 --> 00:21:52.240
the very developer of the ArtOS app that CrowdStrike

00:21:52.240 --> 00:21:54.809
had named in their original... And this targeting

00:21:54.809 --> 00:21:57.490
was subsequently confirmed by other major outlets.

00:21:57.809 --> 00:22:00.549
The Associated Press and Radio Free Europe Research

00:22:00.549 --> 00:22:03.710
noted that this supporting evidence lends some

00:22:03.710 --> 00:22:05.630
credence to the original CrowdStrike report,

00:22:05.869 --> 00:22:08.630
showing that the app had, in fact, been targeted.

00:22:08.950 --> 00:22:11.809
So the conclusion we draw here is nuanced. Fancy

00:22:11.809 --> 00:22:13.950
Bear was definitely targeting the app developer.

00:22:14.109 --> 00:22:17.049
That confirms CrowdStrike's highly accurate attribution

00:22:17.049 --> 00:22:19.450
and specific intelligence on the adversary's

00:22:19.450 --> 00:22:22.609
priorities. However, the dramatic claim about

00:22:22.609 --> 00:22:25.430
battlefield losses, the most consequential part

00:22:25.430 --> 00:22:28.369
of the report, was definitively rejected by the

00:22:28.369 --> 00:22:30.490
Ministry of Defense on the ground. This entire

00:22:30.490 --> 00:22:33.009
section just reinforces the high-risk environment

00:22:33.009 --> 00:22:35.650
in which CrowdStrike operates. They are dealing

00:22:35.650 --> 00:22:38.450
with national security, political sensitivities,

00:22:38.509 --> 00:22:42.130
and complex, rapidly changing intelligence. Their

00:22:42.130 --> 00:22:44.250
ability to catch spies and attribute attacks

00:22:44.250 --> 00:22:46.910
is unparalleled. But their willingness to be

00:22:46.910 --> 00:22:49.549
so definitive about complex operational outcomes

00:22:49.549 --> 00:22:52.920
was seriously tested. And that high certainty,

00:22:53.019 --> 00:22:55.819
that indispensable status, the power they accumulated

00:22:55.819 --> 00:22:59.039
over a decade of fighting nation states, is precisely

00:22:59.039 --> 00:23:01.400
what made them so dangerous when they finally

00:23:01.400 --> 00:23:04.000
malfunctioned from within. We now move to the

00:23:04.000 --> 00:23:07.099
ultimate moment of unintended consequence. We've

00:23:07.099 --> 00:23:10.119
established CrowdStrike's essential role as this

00:23:10.119 --> 00:23:12.740
multi-billion dollar guardian of global systems.

00:23:13.079 --> 00:23:16.140
Now we have to analyze the day that Guardian

00:23:16.140 --> 00:23:19.140
turned into the ultimate global disruptor. July

00:23:19.140 --> 00:23:22.789
19th, 2024. The sheer mundanity of the cause

00:23:22.789 --> 00:23:25.190
is what makes the catastrophe even more profound.

00:23:25.509 --> 00:23:28.710
The incident trigger was a routine software configuration

00:23:28.710 --> 00:23:31.829
file update. Known as Channel File 291, it was

00:23:31.829 --> 00:23:33.970
pushed out to the Falcon Endpoint Detection and

00:23:33.970 --> 00:23:36.829
Response Agent. A single, non-executable configuration

00:23:36.829 --> 00:23:39.529
file. That's all it took. Flaws within that update

00:23:39.529 --> 00:23:41.950
caused a massive logic error deep inside the

00:23:41.950 --> 00:23:43.950
Falcon sensor software. And because that sensor

00:23:43.950 --> 00:23:46.329
runs with extreme, low-level privileges, which

00:23:46.329 --> 00:23:48.410
it needs to detect rootkits and advanced threats,

00:23:48.650 --> 00:23:51.119
the failure was absolute. The result was the

00:23:51.119 --> 00:23:54.539
blue screen of death, the BSOD, on millions of

00:23:54.539 --> 00:23:57.140
Microsoft Windows machines worldwide. But it

00:23:57.140 --> 00:24:00.660
wasn't just a single crash. The logic error forced

00:24:00.660 --> 00:24:03.119
the affected computers into an unusable boot

00:24:03.119 --> 00:24:05.619
loop. Okay, let's explain the digital catch-22

00:24:05.619 --> 00:24:08.000
for the listener. The system would attempt to

00:24:08.000 --> 00:24:11.019
start Windows. Right. But before Windows could

00:24:11.019 --> 00:24:13.680
stabilize or even connect to the network, the

00:24:13.680 --> 00:24:16.079
Falcon agent running deep in the operating system

00:24:16.079 --> 00:24:19.700
would execute the faulty channel file 291. The

00:24:19.700 --> 00:24:22.099
logic error would trigger the system crash, which

00:24:22.099 --> 00:24:24.299
would then immediately cause a reboot, starting

00:24:24.299 --> 00:24:26.359
the whole cycle over and over again. The device

00:24:26.359 --> 00:24:28.980
was effectively bricked. It was unable to reach

00:24:28.980 --> 00:24:30.940
a stable environment long enough to receive a

00:24:30.940 --> 00:24:33.039
fix. And this is where the scale of their success

00:24:33.039 --> 00:24:36.250
became the scale of the disaster. Because CrowdStrike's

00:24:36.250 --> 00:24:39.289
Falcon sensor is so widely adopted by major corporations,

00:24:39.769 --> 00:24:41.930
governments, critical infrastructure providers

00:24:41.930 --> 00:24:45.690
globally. A single flawed file caused chaos rarely

00:24:45.690 --> 00:24:48.410
seen in the history of IT. This is where it gets

00:24:48.410 --> 00:24:51.329
terrifying. The real world impact. We aren't

00:24:51.329 --> 00:24:53.930
talking about slow email. We saw commercial airline

00:24:53.930 --> 00:24:56.569
flights grounded worldwide because the systems

00:24:56.569 --> 00:24:58.470
integral to flight planning, gate operations,

00:24:58.609 --> 00:25:03.049
and air traffic control were just disabled. Disruptions

00:25:03.049 --> 00:25:05.630
swept through critical services. Banking systems

00:25:05.630 --> 00:25:08.349
couldn't process transactions. Hospitals were

00:25:08.349 --> 00:25:10.630
struggling with patient records. Broadcasters,

00:25:10.750 --> 00:25:13.269
including Sky News, were temporarily taken offline.

00:25:13.650 --> 00:25:15.730
And the most alarming public safety crisis came

00:25:15.730 --> 00:25:18.369
from the disruption to 911 emergency call centers

00:25:18.369 --> 00:25:20.690
across the U.S. The reliance on this single

00:25:20.690 --> 00:25:23.509
piece of software was made painfully clear. It

00:25:23.509 --> 00:25:25.569
highlighted that the centralization of defense

00:25:25.569 --> 00:25:28.809
software, while efficient, creates a single point

00:25:28.809 --> 00:25:31.509
of failure that bypasses all traditional system

00:25:31.509 --> 00:25:34.490
redundancies. So once the flaw was identified,

00:25:35.000 --> 00:25:37.740
CrowdStrike issued a patch. But as we discussed,

00:25:38.000 --> 00:25:40.039
the technical mechanism of the failure itself

00:25:40.039 --> 00:25:42.440
created the ultimate challenge for remediation.

00:25:42.740 --> 00:25:45.000
How do you patch a computer that can't stay online

00:25:45.000 --> 00:25:47.559
long enough to download the patch? IT administrators

00:25:47.559 --> 00:25:51.079
worldwide were in a desperate scramble. The recommended

00:25:51.079 --> 00:25:53.460
solution involved these highly manual, labor-intensive

00:25:53.460 --> 00:25:55.859
steps. You had to boot the devices

00:25:55.859 --> 00:25:58.259
into safe mode or the Windows recovery environment

00:25:58.259 --> 00:26:02.009
to manually delete channel file 291. But this

00:26:02.009 --> 00:26:04.589
fix was just fraught with complexity in a large

00:26:04.589 --> 00:26:06.650
enterprise environment. Think about the barriers.

00:26:07.369 --> 00:26:10.210
This manual deletion required local administrator

00:26:10.210 --> 00:26:13.109
access, which is often tightly restricted in

00:26:13.109 --> 00:26:15.430
large corporate settings to prevent security

00:26:15.430 --> 00:26:18.089
breaches. And for companies that used Microsoft's

00:26:18.089 --> 00:26:20.930
robust encryption, BitLocker, the administrator

00:26:20.930 --> 00:26:23.589
often needed the BitLocker recovery key just

00:26:23.589 --> 00:26:26.170
to access the command prompt. Which is an extra

00:26:26.170 --> 00:26:28.630
layer of complication that turned a simple software

00:26:28.630 --> 00:26:31.849
bug into a multi -hour recovery process per machine.

00:26:32.269 --> 00:26:34.309
The anecdotes from the ground were just chaotic.

00:26:34.769 --> 00:26:37.109
Microsoft even reported that some customers found

00:26:37.109 --> 00:26:39.930
a solution solely by rebooting the impacted devices

00:26:39.930 --> 00:26:42.750
up to 15 times in succession. Just hoping that

00:26:42.750 --> 00:26:45.490
sheer luck would allow Windows to start in a

00:26:45.490 --> 00:26:48.369
state that bypassed the sensor's error just long

00:26:48.369 --> 00:26:50.349
enough for the system to stabilize or receive

00:26:50.349 --> 00:26:52.750
the patch. That is not a procedure. That is an

00:26:52.750 --> 00:26:55.549
act of desperation on a massive scale. And the

00:26:55.549 --> 00:26:58.089
financial fallout was immediate and staggering.

00:26:58.559 --> 00:27:01.019
Independent estimates put the cost to Fortune

00:27:01.019 --> 00:27:04.619
500 companies alone at approximately $5.4 billion.

00:27:05.099 --> 00:27:07.980
That's due to downtime, lost productivity, and

00:27:07.980 --> 00:27:10.359
all the remediation costs. CrowdStrike stock

00:27:10.359 --> 00:27:13.019
reflected the panic. On the day of the incident,

00:27:13.140 --> 00:27:17.119
shares closed down 11.10%, a loss of $38.09

00:27:17.119 --> 00:27:20.960
per share, and then fell another 13.46% two

00:27:20.960 --> 00:27:23.309
days later. The company immediately went into

00:27:23.309 --> 00:27:25.789
severe crisis management mode. They published

00:27:25.789 --> 00:27:28.049
a preliminary post-incident review five days

00:27:28.049 --> 00:27:30.690
later, followed by a detailed root cause analysis

00:27:30.690 --> 00:27:34.200
on August 6, 2024. And then came the attempt

00:27:34.200 --> 00:27:36.619
at an apology to their distribution channel partners,

00:27:36.859 --> 00:27:39.299
the resellers and providers who fielded the majority

00:27:39.299 --> 00:27:41.960
of the customer anger and spent days fixing machines.

00:27:42.319 --> 00:27:44.559
Yes, the now infamous apology. It reportedly

00:27:44.559 --> 00:27:46.819
involved sending emails containing Uber Eats

00:27:46.819 --> 00:27:49.940
gift cards. Worth $10. $10. Given that the incident

00:27:49.940 --> 00:27:52.079
cost their customers billions, the sheer tone

00:27:52.079 --> 00:27:54.339
deafness of a $10 meal voucher as compensation

00:27:54.339 --> 00:27:57.160
for crippling global infrastructure drew significant

00:27:57.160 --> 00:28:00.400
and frankly understandable backlash. It's just

00:28:00.400 --> 00:28:02.579
an example of corporate communication completely

00:28:02.579 --> 00:28:05.259
failing to grasp the gravity of the systemic

00:28:05.259 --> 00:28:08.519
failure they caused. The financial scale and

00:28:08.519 --> 00:28:11.180
the public impact demanded a much more profound

00:28:11.180 --> 00:28:13.519
gesture than a thank you for dealing with the

00:28:13.519 --> 00:28:17.680
mess. So beyond the apology, what were the long-term

00:28:17.680 --> 00:28:20.279
structural mitigation steps they implemented

00:28:20.279 --> 00:28:23.359
to ensure this specific point of failure never

00:28:23.359 --> 00:28:26.019
triggers a global collapse again? Well, the focus

00:28:26.019 --> 00:28:28.460
was on decentralizing the risk that was introduced

00:28:28.460 --> 00:28:30.759
by their rapid release content configuration

00:28:30.759 --> 00:28:34.400
system. CrowdStrike detailed several key process

00:28:34.400 --> 00:28:36.680
improvements in their subsequent reports. They

00:28:36.680 --> 00:28:39.380
implemented new content configuration test procedures

00:28:39.380 --> 00:28:42.160
and added additional deployment layers and acceptance

00:28:42.160 --> 00:28:44.960
checks for the content configuration system before

00:28:44.960 --> 00:28:47.319
it could ever reach end users. Which was an admission

00:28:47.319 --> 00:28:49.940
that their internal QA process was simply not

00:28:49.940 --> 00:28:52.019
commensurate with the criticality of their product.

00:28:52.299 --> 00:28:54.000
And they also brought in outside validation,

00:28:54.319 --> 00:28:57.099
recognizing that internal review just wasn't

00:28:57.099 --> 00:28:59.960
enough. That's right. They engaged two independent

00:28:59.960 --> 00:29:02.359
third-party vendors to thoroughly review the

00:29:02.359 --> 00:29:05.119
Falcon sensor code, their quality control processes,

00:29:05.440 --> 00:29:08.420
and the entire content release mechanism. And

00:29:08.420 --> 00:29:10.559
critically, they changed the rollout methodology

00:29:10.559 --> 00:29:13.059
for updates to empower their enterprise clients.

00:29:13.420 --> 00:29:16.690
Yes. They began staggering update rollouts, which

00:29:16.690 --> 00:29:19.130
allows users to select their preferred timing

00:29:19.130 --> 00:29:22.529
for receiving major configurations. This prevents

00:29:22.529 --> 00:29:25.950
a single flawed file from simultaneously impacting

00:29:25.950 --> 00:29:28.769
every single customer worldwide. So it effectively

00:29:28.769 --> 00:29:31.950
turns a catastrophic single point of failure

00:29:31.950 --> 00:29:34.789
into a staggered, controlled deployment failure.

00:29:34.789 --> 00:29:37.190
Exactly. It is the ultimate lesson in the consequences

00:29:37.190 --> 00:29:40.390
of success. Their ability to integrate so deeply

00:29:40.390 --> 00:29:42.930
into the core operating system, which is what

00:29:42.930 --> 00:29:45.150
made them the most effective defense, simultaneously

00:29:45.150 --> 00:29:47.549
made them the most effective single point of

00:29:47.549 --> 00:29:49.910
failure. When we synthesize the entire journey

00:29:49.910 --> 00:29:52.269
of CrowdStrike, from its founding by intelligence

00:29:52.269 --> 00:29:54.910
experts dedicated to catching sophisticated state-sponsored

00:29:54.910 --> 00:29:57.150
groups, to its aggressive financial

00:29:57.150 --> 00:29:59.710
scaling into a multi-billion dollar utility,

00:30:00.029 --> 00:30:03.390
we see this profound paradox. They mastered the

00:30:03.390 --> 00:30:06.250
highest level of cyber defense. They were tracking

00:30:06.250 --> 00:30:09.089
complex entities like Chinese military units

00:30:09.089 --> 00:30:11.890
and Russian intelligence services, accumulating

00:30:11.890 --> 00:30:14.470
the necessary financial and political power to

00:30:14.470 --> 00:30:16.829
become truly indispensable to global governance.

00:30:17.630 --> 00:30:20.069
And yet this indispensable status meant that

00:30:20.069 --> 00:30:22.430
when they introduced a single line of bad logic,

00:30:22.609 --> 00:30:25.630
it triggered an unprecedented global infrastructure

00:30:25.630 --> 00:30:28.730
failure. They built the master lock only to accidentally

00:30:28.730 --> 00:30:31.089
break the master key. The concentration risk

00:30:31.089 --> 00:30:33.930
is the key takeaway here. Their ability to generate

00:30:33.930 --> 00:30:37.710
$3.95 billion in revenue to become an S&P

00:30:37.710 --> 00:30:40.710
500 component was built on the necessary technical

00:30:40.710 --> 00:30:43.690
deep access of the Falcon sensor. And that deep

00:30:43.690 --> 00:30:45.609
access is what allowed them to protect critical

00:30:45.609 --> 00:30:48.049
systems, airports and 911 centers. But it is

00:30:48.049 --> 00:30:50.710
also what gave them the systemic power to globally

00:30:50.710 --> 00:30:53.349
paralyze those very systems with a single flawed

00:30:53.349 --> 00:30:55.990
configuration file. Costing the global economy

00:30:55.990 --> 00:31:00.490
$5.4 billion. The entire narrative boils down

00:31:00.490 --> 00:31:02.609
to the question of who holds the power in the

00:31:02.609 --> 00:31:05.500
digital age. A single private sector security

00:31:05.500 --> 00:31:08.119
agent running deep inside the operating systems

00:31:08.119 --> 00:31:10.079
of global commerce and critical infrastructure

00:31:10.079 --> 00:31:13.140
has the power to protect against a nation state

00:31:13.140 --> 00:31:16.079
attack one day. And cause a major physical infrastructure

00:31:16.079 --> 00:31:18.640
collapse the next. So we leave you with this

00:31:18.640 --> 00:31:21.740
final provocative thought. As we continue to

00:31:21.740 --> 00:31:24.480
centralize our defenses, moving further into

00:31:24.480 --> 00:31:27.420
cloud infrastructure and relying on AI-driven,

00:31:27.619 --> 00:31:30.740
highly integrated security platforms, we are

00:31:30.740 --> 00:31:34.019
trading complexity for concentration. Does this

00:31:34.019 --> 00:31:36.460
concentration of defensive power ultimately create

00:31:36.460 --> 00:31:39.000
more stability? Or does it introduce a greater,

00:31:39.059 --> 00:31:41.740
more volatile systemic risk? And how should global

00:31:41.740 --> 00:31:44.759
governments regulate or even control the few

00:31:44.759 --> 00:31:47.119
private companies whose operational errors can

00:31:47.119 --> 00:31:49.359
bring the global economy to a complete standstill?

00:31:49.519 --> 00:31:51.740
Think about the answer to that. Until next time.

00:31:51.799 --> 00:31:54.099
The Deep Dive. Done.
